[Devel] [PATCH rh7] ve/cgroups: Allow to attach a single threaded task only into a container

Cyrill Gorcunov gorcunov at virtuozzo.com
Wed Oct 28 09:44:50 PDT 2015


In commit e4abbcde75125568a855058f965ad3aa191fe52a we've
allowed to attach non-self into container. Still there
was an assumption that we might need multithreaded
kernel threads to be connected into container (sounds
like a new term in kernel development :-).

Thus let's simplify the test: we only require the
"init" to be moved into a container. The rest of
process tree is usually forked()/cloned() from it
automatically obtaining same container's cgroup.

I leave an old test for kernel thread here because
I'm not sure if lack of it causes any problem. Let's
step safe first.

Signed-off-by: Cyrill Gorcunov <gorcunov at odin.com>
CC: Nikita Spiridonov <nspiridonov at odin.com>
CC: Vladimir Davydov <vdavydov at odin.com>
CC: Konstantin Khorenko <khorenko at odin.com>
CC: Pavel Emelyanov <xemul at odin.com>
CC: Andrey Vagin <avagin at odin.com>
---
 kernel/ve/ve.c |   29 ++++++++++++++++-------------
 1 file changed, 16 insertions(+), 13 deletions(-)

Index: linux-pcs7.git/kernel/ve/ve.c
===================================================================
--- linux-pcs7.git.orig/kernel/ve/ve.c
+++ linux-pcs7.git/kernel/ve/ve.c
@@ -704,7 +704,6 @@ static void ve_destroy(struct cgroup *cg
 static int ve_can_attach(struct cgroup *cg, struct cgroup_taskset *tset)
 {
 	struct ve_struct *ve = cgroup_ve(cg);
-	struct task_struct *task;
 
 	if (!ve->veid)
 		return -ENOENT;
@@ -713,25 +712,29 @@ static int ve_can_attach(struct cgroup *
 		return -EBUSY;
 
 	/*
-	 * We either moving the whole group of threads,
-	 * either a single thread process.
+	 * We allow only one single-threaded process to attach
+	 * into a container, which usually stands for "init"
+	 * process. The rest of processes should be forked
+	 * from the "init".
 	 */
 	if (cgroup_taskset_size(tset) == 1) {
-		task = cgroup_taskset_first(tset);
-		if (!thread_group_empty(task))
+		struct task_struct *task = cgroup_taskset_first(tset);
+
+		if (!thread_group_leader(task) ||
+		    !thread_group_empty(task))
 			return -EINVAL;
-	}
 
-	/*
-	 * Forbid userspace tasks to enter during starting or stopping.
-	 * Permit attaching kernel threads for this containers.
-	 */
-	if (!ve->is_running && (ve->ve_ns || nr_threads_ve(ve))) {
-		cgroup_taskset_for_each(task, cg, tset) {
+		/*
+		 * XXX Still permit attaching kernel threads
+		 * for this container. Wonder if we really need it,
+		 * looks like some legacy code chunk.
+		 */
+		if (!ve->is_running && (ve->ve_ns || nr_threads_ve(ve))) {
 			if (!(task->flags & PF_KTHREAD))
 				return -EPIPE;
 		}
-	}
+	} else
+		return -EINVAL;
 
 	return 0;
 }
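
Review bot: the new `} else return -EINVAL;` tail makes ve_can_attach() refuse every taskset whose size is not 1, so moving a whole thread group, which the removed comment ("We either moving the whole group of threads, either a single thread process") permitted, now fails. That is a user-visible behaviour change and the changelog should say so explicitly. All three rejections (more than one task, not a thread group leader, non-empty thread group) return the same -EINVAL, so a caller cannot tell which rule it hit; a distinct code or a short comment per case would help. On style, a braced `if` body should get a braced `else`; simpler still, test `cgroup_taskset_size(tset) != 1` first and return early, which drops one nesting level and keeps the PF_KTHREAD / -EPIPE check at its old indentation. The XXX comment should either name the caller that still attaches a kernel thread while `!ve->is_running`, or the check should go in a follow-up once that is confirmed unused.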


